InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Massachusetts AG sues Department of Education for failure to discharge loans
On October 22, the Massachusetts attorney general filed an action in the U.S. District Court for the District of Massachusetts challenging the U.S. Department of Education’s (DOE) continued collection of federal student loan debt incurred by over 7,000 individuals to attend a now closed for-profit college. The complaint alleges that, in 2015, the attorney general submitted an application to the DOE on behalf of the individuals who attended the for-profit school to have their federal loans forgiven due to the institution’s allegedly fraudulent conduct. The attorney general asserts that its application for loan discharge was supported by evidence of the institution’s various wrongful conduct towards Massachusetts students, and its submission established a defense to the enforceability of the underlying federal student loan debt. However, the complaint asserts that the DOE did not grant the requested loan relief and instead has continued collection efforts on debts subject to discharge under the attorney general’s application. The attorney general is seeking an order to set aside the DOE’s decision to continue collection efforts as “arbitrary and capricious” in violation of the Administrative Procedure Act and to declare that Massachusetts borrowers have established a defense to repayment of their federal student loans.
22 AGs and FTC Commissioner Chopra oppose HUD’s disparate impact proposal
On October 18, 22 state attorneys general submitted comments opposing HUD’s proposed rule amending the agency’s interpretation of the Fair Housing Act’s disparate impact standard (also known as the “2013 Disparate Impact Regulation”), arguing the proposal would “render disparate impact liability a dead letter under the Fair Housing Act (FHA).” As previously covered by InfoBytes, in August, HUD issued the proposed rule, to bring the rule “into closer alignment with the analysis and guidance” provided in the 2015 Supreme Court ruling in Texas Department of Housing and Community Affairs v. Inclusive Communities Project, Inc. (covered by a Buckley Special Alert) and to codify HUD’s position that its rule is not intended to infringe on the states’ regulation of insurance. Specifically, the proposal codifies the burden-shifting framework outlined in Inclusive Communities, adding five elements that a plaintiff must plead to support allegations that a specific, identifiable, policy or practice has a discriminatory effect. Moreover, the proposal provides methods for defendants to rebut a disparate impact claim.
In the comment letter, the attorneys general argue that the proposal ignores “the Supreme Court’s binding interpretation of the FHA” in Inclusive Communities, stating that the Court “emphasiz[ed] the continued importance of the FHA’s disparate impact theory of liability in advancing the nation’s efforts to advance justice and equality.” Additionally, the attorneys general suggest that the proposal ignores HUD’s statutory mandate and is “arbitrary and capricious in light of its numerous substantive defects.” The attorneys general assert that no changes to the rule are necessary, as there are no revisions “that would add clarity, reduce uncertainty, decrease unwarranted regulatory burdens, or otherwise assist in determining lawful conduct.” The letter concludes with a threat of a “meritorious legal challenge” should HUD approve the changes.
Similarly, on October 16, FTC Commissioner, Rohit Chopra, voiced his concerns with the proposal in a comment letter, stating that it “appears to fundamentally misunderstand how algorithms, big data, and machine learning work in practice,” and that “it would provide safe harbors to the same technologies at issue in HUD’s own action against [a social media company].” Chopra opposes HUD’s proposal for three reasons: (i) algorithms can provide discriminatory results because they are not neutral; (ii) safe harbors should not be created “around technologies that are proprietary, opaque, and rapidly evolving”; and (iii) incentives are distorted by “outsourcing [the] liability for algorithmic discrimination to third parties.” Chopra concludes that the proposal should not be finalized because it “moves enforcement against discrimination backwards.”
State AGs urge CFPB to reconsider proposed changes to HMDA
On October 15, a coalition of 13 state attorneys general submitted a comment letter in response to the CFPB’s Advance Notice of Proposed Rulemaking issued last May seeking information on the costs and benefits of reporting certain data points under HMDA. (Previously covered by InfoBytes here.) In the comment letter, the AGs argue, among other things, that the proposed rule would reduce transparency and “undermine the ability of local public officials to investigate unfair and discriminatory mortgage lending practices.” The AGs assert that the Bureau’s proposal to limit the data financial institutions are required to report to the CFPB under HMDA will open the door for financial institutions to engage in discriminatory lending, pointing to the 2018 national HMDA loan-level data released on August 30 (InfoBytes coverage here), which, according to the AGs, show “disturbing trends” that demonstrate the additional data fields are helping to achieve HMDA’s objectives. Specifically, the AGs cite to (i) disparities in manufactured home lending; (ii) racial and ethnic data that points to potential disparities in lending; (iii) the importance of collecting all data on denial reasons; (iv) loan pricing data as an indicator of fair lending; and (v) the importance of collecting debt-to-income and combined loan-to-value ratios.
The New York AG’s office also sent a second letter the same day in response to a Notice of Proposed Rulemaking (NPRM) issued last May by the Bureau that would permanently raise coverage thresholds for collecting and reporting data about closed-end mortgage loans and open-end lines of credit under the HMDA rules. (Previously covered by InfoBytes here.) The AG’s office argues that increasing the reporting threshold “would exempt thousands of lenders from reporting data” and would “inhibit the ability of communities and state and local law enforcement to ensure fair mortgage lending in New York and elsewhere, and violate the Administrative Procedure Act” since it fails to consider the full cost of the proposed rule on the states. Specifically, the AG’s office contends that the NPRM will (i) exempt a large number of depository institutions leading to significance loss of data on a local level; (ii) leave discriminatory lending in the rural and multifamily lending markets unchecked; and (iii) guarantee predatory lending if the threshold for open-end reporting is permanently set at 200 loans.
California governor signs CCPA amendments
On October 11, the California governor signed several amendments to the California Consumer Privacy Act (CCPA) and other privacy-related bills. As previously covered by a Buckley Special Alert, AB 874, AB 1355, AB 1146, AB 25, and AB 1564 leave the majority of the consumer’s rights intact in the CCPA and clarify certain provisions—including the definition of “personal information.” Other exemptions were added or clarified regarding the collection of certain data that have a bearing on financial services companies. Notable revisions to the CCPA include the (i) “personal information” definition; (ii) FCRA exemption; (iii) employee exemption; (iv) business individual exemption; (v) verification and delivery requirements; (vi) privacy policy and training requirements; (vii) collection of information; and (viii) vehicle/ownership information exemption. The various amendments are effective on January 1, 2020, the same day the CCPA becomes effective.
Additionally, on October 10, the California attorney general released the highly anticipated proposed regulations implementing the CCPA. See the Buckley Special Alert for details of the proposed regulations.
Special Alert: California attorney general releases proposed CCPA regulations
Buckley Special Alert
Last week, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA — which was enacted in June 2018 (covered by a Buckley Special Alert), amended several times and with the most recent amendments signed into law on Oct. 11, and is currently set to take effect on Jan. 1, 2020 — directed the California attorney general to issue regulations to further the law’s purpose.
* * *
Click here to read the full special alert.
If you have any questions about the CCPA or other related issues, please visit our Privacy, Cyber Risk & Data Security practice page, or contact a Buckley attorney with whom you have worked in the past.
California attorney general releases proposed CCPA regulations
On October 10, the California attorney general released the highly anticipated proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA—which was enacted in June 2018 (covered by a Buckley Special Alert), amended in September 2018, amended again in October 2019 (pending Governor Gavin Newsom’s signature), and is currently set to take effect on January 1, 2020 (Infobytes coverage on the amendments available here and here)—directed the California attorney general to issue regulations to further the law’s purpose. The proposed regulations address a variety of topics related to the law, including:
- How a business should provide disclosures required by the CCPA, such as the notice at collection of personal information, the notice of financial incentive, the privacy policy, and the opt-out notice;
- The handling of consumer requests made under the CCPA, such as requests to know, requests to delete, and requests to opt-out;
- Service provider classification and obligations;
- The process for verifying consumer requests;
- Training and recordkeeping requirements; and
- Special requirements related to minors.
The California attorney general will hold four public hearings between December 2 and December 5 on the proposed regulations. Written comments are due by December 6.
Notably, the Notice of Proposed Rulemaking states that “the adoption of these regulations may have a significant, statewide adverse economic impact directly affecting business, including the ability of California businesses to compete with businesses in other states” and requests that the public consider, among other things, different compliance requirements depending on a business’s resources or potential exemptions from the regulatory requirements for businesses when submitting comments on the proposal.
Buckley will follow up with a more detailed summary of the proposed regulations soon.
New York AG sues student loan servicer for alleged PSLF and IDR failures
On October 3, the New York attorney general announced an action filed against a national student loan servicer for allegedly failing to properly administer the Public Service Loan Forgiveness (PSLF) program and mishandling income driven repayment (IDR) plans. In the complaint, the attorney general asserts that, in violation of the Consumer Financial Protection Act (CFPA) and New York law, the servicer, among other things, (i) failed to accurately count borrower’s PSLF-qualifying payments; (ii) failed to provide timely explanations to borrowers for PSLF payment count determinations; (iii) failed to process IDR repayment plan paperwork accurately and timely; and (iv) lacked clear policies and procedures for addressing errors, resulting in inconsistent treatment of borrowers. As a result of the servicer’s alleged actions, the attorney general argues that borrowers’ loan balances increased, time was extended on repayment plans, and improper denials of PSLF were issued. The attorney general is seeking injunctive relief, restitution, and civil money penalties.
New York launches online whistleblower submission system
On October 2, New York’s Office of the Attorney General launched an online, open-source whistleblower submission system designed to enable witnesses to report information without compromising their identity. The N.Y.A.G. Whistleblower Portal allows whistleblowers to securely and anonymously submit information, while protecting individuals’ identity, location, and information provided. Whistleblowers will also be able to engage in two-way anonymous communications with the attorney general’s office through the portal. According to the press release, the attorney general’s office “is the first governmental agency in the United States to offer whistleblowers the capability to directly transmit documents and send and receive communications electronically without their identity being traceable.”
California addresses robocall spoofing
On October 2, the California governor signed SB 208, the “Consumer Call Protection Act of 2019,” which requires telecommunications service providers (TSPs) to implement specified technological protocols to verify and authenticate caller identification for calls carried over an internet protocol network. Specifically, the bill requires TSPs to implement “Secure Telephone Identity Revisited (STIR) and Secure Handling of Asserted information using toKENs (SHAKEN) protocols or alternative technology that provides comparable or superior capability by January 1, 2021. The bill also authorizes the California Public Utilities Commission and the Attorney General to enforce certain parts of 47 U.S.C. 227, making it unlawful for any person within the U.S. to cause any caller identification service to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value.
As previously covered by InfoBytes, in June 2019, the FCC adopted a Notice of Proposed Rulemaking (NPRM) requiring voice providers to implement the “SHAKEN/STIR” caller ID authentication framework. The FCC argued that once “SHAKEN/STIR” is implemented, it would “reduce the effectiveness of illegal spoofing and allow bad actors to be identified more easily.”
New York AG sues national coffee chain over data breach
On September 26, the New York attorney general announced a lawsuit against a national franchisor of a coffee retail chain for allegedly failing to protect thousands of customer accounts from a series of cyberattacks. According to the complaint, the attorney general asserts that, beginning in 2015, customer accounts containing stored value cards that could be used to make purchases in stores and online were subject to repeated cyberattack attempts, resulting in almost 20,000 compromised accounts and “tens of thousands” of dollars stolen. The attorney general alleges that, following the attacks, the company failed to take steps to protect the affected customers, such as notifying them of the unauthorized access, resetting account passwords, or freezing the stored value cards. The complaint also alleges that the retailer failed to conduct an investigation to determine the extent of the attacks or implement appropriate safeguards to limit future attacks. In addition, according to the complaint, in 2018, a vendor notified the company of another attack that resulted in the unauthorized access of over 300,000 customer accounts, and the company’s response included inaccurate representations to customers. The complaint asserts violations of New York’s data breach notification statute and violations of New York’s consumer protection laws. The attorney general is seeking injunctive relief, restitution, disgorgement, and civil money penalties.